Massive Yahoo hack 'evidence of industry’s complacency'
Data of 500 million Yahoo users has been stolen in what has been described as the largest hack of its kind to date, prompting cyber security experts to unleash an avalanche of criticism about the lack of circumspection in the industry.
Yahoo said it discovered the attack, which took place in 2014, only a few weeks ago while investigating reports of another breach. Names, email addresses, telephone numbers, dates of birth and hashed passwords (the vast majority hashed with bcrypt, according to Yahoo) were stolen. Hashed passwords cannot be used directly, but weak or common ones can still be recovered by offline guessing, so users who protect their other Internet accounts with the same credentials are at risk of having those services compromised as well.
Yahoo said the affected system didn’t contain payment card data or bank account information.
However, the hackers also obtained security questions and answers, in some cases stored unencrypted, which are used to recover accounts and are meant to provide additional protection.
"One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted,” said Gavin Millard from Internet security firm Tenable Network Security.
“Most users would have used valid responses to questions like mother’s maiden name, first car, and first pet, which could lead to further exploitation and account misuse."
Alex Mathews from Positive Technologies said that storing such sensitive information in unencrypted form would be a major failing on Yahoo’s part.
"If the investigation determines that this extremely sensitive information was stored unencrypted then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers,” Mathews said.
"Any Yahoo customers would be prudent to change their passwords - although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age,” he added.
The hack, which Yahoo attributed to what it believes was a state-sponsored attacker, affected roughly three times as many accounts as the previous largest known breaches.
"The fact that Yahoo has now confirmed the breach is no surprise - the scale however is,” said Troy Gill, manager of security research at AppRiver. “The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers' data, and I don’t think we've seen the last confession yet. In fact as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and by all likelihood more impactful.”
The timing of the revelation couldn’t be less convenient for struggling Yahoo, which is hoping to sell its internet business to Verizon Communications. In July, the two firms agreed a price of $4.83bn but some experts have speculated Verizon may now push for renegotiating the deal.
"That would give Verizon the opportunity to renegotiate the terms or potentially walk away from the transaction if it is a material change,” said Steven Caponi, an attorney at K&L Gates with a practice including merger litigation. Material adverse change is a clause common in mergers allowing a buyer to walk away if its target's value deteriorates.
“Whether it is a material change will depend in large part on what kind of information was compromised," Caponi added.
Analyst Robert Peck of SunTrust Robinson Humphrey said the breach probably was not enough to prompt Verizon to abandon its deal with Yahoo, but it could call for a price decrease of $100m to $200m, depending on how many users leave Yahoo.
The Yahoo breach follows a rising number of large-scale data attacks and could prove to be a watershed event that prompts governments and businesses to put more effort into bolstering defences, Dan Kaminsky, a well-known internet security expert, told Reuters.
Retailers and health insurers have been especially hard hit after high-profile breaches at Home Depot, Target Corp, Anthem and Premera Blue Cross.
"Five hundred of the Fortune 500 have been hacked," said Kaminsky. "If anything has changed, it's that these attacks are getting publicly disclosed."
Three US intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.
A former Yahoo employee said the security questions and answers were deliberately left unencrypted so that Yahoo could detect fake accounts more easily, because fake accounts tend to reuse the same questions and answers.